Poor-quality passwords at a major Canadian bank

At TD-Canada Trust I just noticed their passwords must conform to the following ridiculous password policies:

be 5 to 8 characters in length

not contain spaces or special characters (e.g. #, &, @)

Now I have no inside knowledge of what TD is using to store their passwords, and I have no inside knowledge of what hardware and software they are employing to protect their network. However, this password policy is both strange, and incredibly scary. A 5 to 8 character password is not very strong, and mandating that it NOT contain special characters further weakens the strength of the password! The rest of the internet is trying to make passwords stronger, and this major Canadian bank is forcing its customers to use weak passwords!

These are VERY weak passwords

With only a to z, A to Z and 0 to 9 allowed, there are 26*2 + 10 = 62 possible characters for each position, which means there are 62^8 = 218,340,105,584,896 possible 8-character TD EasyWeb passwords. This sounds like a large number, but it’s really not. Here’s why…

Let us assume that this bank is using IBM WebSEAL – which is very popular with banks and insurance companies – and incredibly it only supports SHA1 for password hashing (in version 6.1 at least). This is a VERY poor choice for mathematically protecting passwords.

A free and easily accessible tool such as Hashcat can try 2,136,000,000 SHA1 password combinations a second on a Windows 7 x64 bit computer with a single AMD graphics card. This number goes up when you add more of these graphics cards to your computer.

So if we take the total possible number of passwords and divide them by the speed at which Hashcat can crack those passwords, we get: 102,219 seconds, or 28 hours! We can reverse-engineer every possible hashed SHA1 8-character password in a little over a day with an average computer. Of course, if we could get the list of user-ID/passwords for their website then we wouldn’t need to crack every single possible password, we could just crack the ones that are actually used.
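The keyspace and crack-time arithmetic above, written out as a small calculator (added example, not from the original post). It reproduces the 8-character figure, also sums the 5- to 8-character lengths the policy actually permits, and compares against a hypothetical stronger policy (95 printable characters, 8 to 16 long) that is my assumption, not anything TD publishes:

```python
"""Keyspace and exhaustive-search time for a password policy."""
from dataclasses import dataclass
from typing import Optional
import string

# Single-GPU hashcat SHA1 rate quoted in the post (hashes per second).
HASHCAT_SHA1_RATE = 2_136_000_000


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    alphabet_size: int
    min_len: int
    max_len: int

    def keyspace(self, length: Optional[int] = None) -> int:
        """Distinct passwords the policy allows: one exact length, or
        every length from min_len to max_len when no length is given."""
        if length is not None:
            return self.alphabet_size ** length
        return sum(self.alphabet_size ** n
                   for n in range(self.min_len, self.max_len + 1))

    def exhaustive_seconds(self, rate: int = HASHCAT_SHA1_RATE,
                           length: Optional[int] = None) -> float:
        """Worst-case seconds to try every password at `rate` guesses/s
        (unsalted fast hash, as the post assumes for SHA1)."""
        return self.keyspace(length) / rate


# The TD EasyWeb rules from the post: 5-8 characters, letters and digits only.
TD_POLICY = PasswordPolicy("TD EasyWeb (letters+digits, 5-8)", 62, 5, 8)
# Comparison policy (assumption, not from the post): printable ASCII, 8-16 long.
STRONG_POLICY = PasswordPolicy("printable ASCII, 8-16", 95, 8, 16)


def td_policy_allows(password: str) -> bool:
    """True if `password` satisfies the TD rules quoted in the post."""
    allowed = set(string.ascii_letters + string.digits)
    return 5 <= len(password) <= 8 and all(c in allowed for c in password)


if __name__ == "__main__":
    for policy in (TD_POLICY, STRONG_POLICY):
        secs = policy.exhaustive_seconds()
        print(f"{policy.name}: {policy.keyspace():,} passwords, "
              f"{secs:,.0f} s ({secs / 3600:,.1f} h) at {HASHCAT_SHA1_RATE:,} SHA1/s")
    # 8-character case from the post: 218,340,105,584,896 passwords, ~102,219 s
    print(TD_POLICY.keyspace(8), round(TD_POLICY.exhaustive_seconds(length=8)))
```

Switching the hash to a slow, salted KDF changes `rate` by many orders of magnitude, which is the lever the post's conclusion is asking for.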

So if we could steal the log-in credentials for TD EasyWeb then we could easily reverse-engineer these passwords and log in to EasyWeb. That’s a pretty big if, but it’s not impossible.

Of course, you probably use your bank password at other websites as well – it’s supposed to be secure right? So if attackers can get this password where else can they now get access to?

The recent TD Denial of Service

What makes this low-strength password policy scary is that on Friday TD Bank was hit by a “targeted” distributed denial of service attack. A denial of service attack is when attackers use hundreds of computers around the internet to bombard a website with requests, overloading the web servers so that legitimate users of the website can’t get through. The bank has said that “the security breach did not compromise clients’ accounts or personal data.”

However, attackers frequently use denial of service attacks to camouflage data breach attacks. In December of 2012 the US Treasury Department issued a statement saying:

A DDoS attack seeks to deny Internet access to bank services by directing waves of Internet-based traffic from compromised computers to the bank. … Fraudsters also use DDoS attacks to distract bank personnel and technical resources while they gain unauthorized remote access to a customer’s account and commit fraud through Automated Clearing House (ACH) and wire transfers (account takeover).

So while the bank has indicated that no data was lost, if this DDoS was actually camouflage for a data breach it may be some time before the nature of the breach surfaces.

Conclusion

Again, I have no inside knowledge of TD’s systems, security measures, password storage mechanism, etc. I am just a concerned computer security person writing about a possibility. It is my sincere hope that TD uses incredibly strong password hashing algorithms combined with secure password salts. I also hope that this DDoS attack was launched by a bunch of script-kiddies or a group like Izz ad-Din al-Qassam Cyber Fighters that are just looking to disrupt things for the bank for a while.

Nevertheless, if you bank with TD EasyWeb then I recommend that you change your EasyWeb password, and your password on any other websites where you use the same one. If during the DDoS the attackers were able to compromise TD’s systems and steal their credential data (user IDs and passwords) then changing your password now could help protect your bank account. If no data was stolen, you probably haven’t changed your banking password in a while anyway, and changing it now to something new is still a good idea. 🙂

Robert

PS. If you’re looking to improve your passwords in general, then I strongly recommend you check out the KeePass password manager. It’s free and can create very strong and very long passwords – and then it remembers them for you. 🙂

The only place I can find their password policies is on the change password page. What’s strange to me is that limiting the allowed characters or length of the password would actually be MORE difficult to program and to test than simply allowing any characters and any length – assuming they’re using proper hashing techniques.

I can only assume that:
1. The banks are not correctly hashing and salting the passwords, which is why they don’t want special characters, or
2. The banks are more concerned about people losing their password and calling the bank’s call centre (which incurs a cost to the bank).

I think that building a page with their password policies would be an interesting idea. If anybody out there can send me a screen shot of your bank’s change-password page I’ll happily include it with the banks that I can demonstrate. Please make sure that there is no personal information on the screen shot (and if there is, I’ll remove the sensitive bits before posting).

I’m also looking into Trusteer, because I’ve heard several things about it…